Fake ‘Export License/Payment Invoice’ themed emails lead to malware

By Dancho Danchev

We have just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake "Export License/Payment Invoice" attachment. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals.

Once executed, the sample creates the following mutexes:

Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{FD2CEE5F-1C6D-E390-0508-B06D3016937F}
Global{FD2CEE5F-1C6D-E390-7109-B06D4417937F}
Global{FD2CEE5F-1C6D-E390-490A-B06D7C14937F}
Global{FD2CEE5F-1C6D-E390-610A-B06D5414937F}
Global{FD2CEE5F-1C6D-E390-8D0A-B06DB814937F}
Global{FD2CEE5F-1C6D-E390-990A-B06DAC14937F}
Global{FD2CEE5F-1C6D-E390-350B-B06D0015937F}
Global{FD2CEE5F-1C6D-E390-610B-B06D5415937F}
Global{FD2CEE5F-1C6D-E390-B90B-B06D8C15937F}
Global{FD2CEE5F-1C6D-E390-190C-B06D2C12937F}
Global{FD2CEE5F-1C6D-E390-4D0C-B06D7812937F}
Global{FD2CEE5F-1C6D-E390-650C-B06D5012937F}
Global{FD2CEE5F-1C6D-E390-B50D-B06D8013937F}
Global{FD2CEE5F-1C6D-E390-310E-B06D0410937F}
Global{FD2CEE5F-1C6D-E390-610E-B06D5410937F}
Global{FD2CEE5F-1C6D-E390-E90F-B06DDC11937F}
Global{FD2CEE5F-1C6D-E390-ED0B-B06DD815937F}
Global{FD2CEE5F-1C6D-E390-ED0C-B06DD812937F}
Global{FD2CEE5F-1C6D-E390-B10E-B06D8410937F}
Global{FD2CEE5F-1C6D-E390-6D0F-B06D5811937F}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Global{FD2CEE5F-1C6D-E390-D10F-B06DE411937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
MidiMapper_modLongMessage_RefCnt
MidiMapper_Configure
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
MSIdent Logon

It then phones back to the following C&C servers (IP:port):

213.230.101.174:11137
87.203.65.0:12721
180.241.97.79:16114
83.7.104.50:13647
84.59.222.81:10378
194.94.127.98:25549
98.201.143.22:19595
78.139.187.6:14384
180.183.178.134:20898
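The C&C list above is only useful once it is run against your own egress logs. The script below is an added example, not code from the original post or from the author: it embeds the nine IP:port pairs listed here, parses constructed firewall-style connection lines in an assumed "timestamp src:sport -> dst:dport proto action" format (the format and the sample lines are made up for this example), and reports every internal host that reached a listed endpoint. Because the post notes that at least one of these IPs (194.94.127.98) recurs across campaigns, the scan also flags connections to a listed IP on an unlisted port as a weaker "ip-only" hit.

```python
"""Scan connection logs for the C&C endpoints listed in this post (added example)."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, NamedTuple, Optional

# C&C endpoints (IP, port) exactly as listed in the post.
CNC_ENDPOINTS: frozenset[tuple[str, int]] = frozenset({
    ("213.230.101.174", 11137),
    ("87.203.65.0", 12721),
    ("180.241.97.79", 16114),
    ("83.7.104.50", 13647),
    ("84.59.222.81", 10378),
    ("194.94.127.98", 25549),
    ("98.201.143.22", 19595),
    ("78.139.187.6", 14384),
    ("180.183.178.134", 20898),
})
CNC_IPS: frozenset[str] = frozenset(ip for ip, _ in CNC_ENDPOINTS)

# Assumed log format (constructed for this example, not a real product's format):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)\s*$"
)


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    kind: str  # "ip+port" = exact IOC match; "ip-only" = listed C&C IP, unlisted port


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not fit the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # e.g. an octet > 255; treat as unparseable rather than crash
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_cnc_hits(lines: Iterable[str], include_ip_only: bool = True) -> list[Hit]:
    """Return every connection to a listed C&C, in log order."""
    hits: list[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dst"], rec["dport"]) in CNC_ENDPOINTS:
            kind = "ip+port"
        elif include_ip_only and rec["dst"] in CNC_IPS:
            kind = "ip-only"
        else:
            continue
        hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["action"], kind))
    return hits


def infected_hosts(hits: Iterable[Hit]) -> list[str]:
    """Sources to triage. A 'deny' line still counts: the host attempted the check-in."""
    return sorted({h.src for h in hits})


# Constructed sample log lines for demonstration (not from the post).
SAMPLE_LOG = """\
2013-03-12T10:01:03Z 10.0.0.15:49152 -> 194.94.127.98:25549 tcp allow
2013-03-12T10:01:09Z 10.0.0.15:49153 -> 93.184.216.34:443 tcp allow
2013-03-12T10:02:41Z 10.0.0.22:49201 -> 194.94.127.98:80 tcp allow
2013-03-12T10:03:05Z 10.0.0.31:49160 -> 180.183.178.134:20898 tcp deny
this line is not in the expected format
"""

if __name__ == "__main__":
    found = find_cnc_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print("hosts to triage:", infected_hosts(found))
```

Run it as-is to see the three hits from the constructed sample (two exact IP:port matches and one ip-only match), or feed it your own lines after adjusting LOG_RE to your firewall's format. Matching on the destination tuple rather than the source keeps the check cheap enough to run over a full day of logs, and the ip-only tier is what catches a later campaign that reuses a host on a different port.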

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns: